DPA

 Sonet.io Data Processing Addendum 

1.    Introduction 
This Sonet.io Data Processing Addendum (“Addendum”) is an integral part of Sonet.io, Inc.’s Terms of Service (or instead, where there is an existing service agreement in place between Customer and Sonet.io prior to the effective date of this Addendum (the “Service Agreement”), it forms an integral part of that Service Agreement), which together with one or more Order Forms and exhibits, form the “Agreement” between Sonet.io, Inc. (“Sonet.io”) and the Customer who agreed to and is party to the Terms of Service or Service Agreement (“Customer”), and is made part of the Agreement. This Addendum governs the manner in which Sonet.io shall Process Customer Personal Data on behalf of Customer (who is Controller of the data subject to this Addendum) and only applies to the extent Sonet.io serves as a Processor of such Customer Personal Data on behalf of Controller. This Addendum shall be effective on the date agreed to by Customer and will automatically terminate upon expiration or termination of the Agreement. Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. In the event of a conflict between the Agreement, including Order Forms and exhibits, and this Addendum, this Addendum shall control. The parties agree that this Addendum shall replace any existing data processing addendum the parties may have previously entered into in connection with the Sonet.io Services. Capitalized terms have the meaning given to them in the Agreement, unless otherwise defined below.

2.    Definitions 
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply. 
a)  “Applicable Data Protection Law(s)” means the relevant data protection and data privacy laws, rules and regulations to which the Customer Personal Data are subject. “Applicable Data Protection Law(s)” shall include, but not be limited to, the General Data Protection Regulation (EU 2016/679) (the “GDPR”) and equivalent requirements in the United Kingdom including the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (“UK Data Protection Law”), and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”) and privacy laws passed by other U.S. states (together with the CCPA, “U.S. State Privacy Laws”).
b)  “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Controller is also a “business,” as that term is defined in the CCPA.
c)  “Customer Personal Data” means Personal Data pertaining to Customer’s users received or collected by Sonet.io, provided by Customer in its capacity as Controller to Sonet.io, the Processor. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Schedule 1 as required by the Applicable Data Protection Laws.
d)  “Personal Data” shall have the meaning assigned to the terms “personal data”, “personal information” or other similar terminology under Applicable Data Protection Law(s).
e)  “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. 
f)  “Processor” means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data subject to this Addendum. Processor is also a “service provider,” as that term is defined in the CCPA. 
g)  “Security Incident(s)” means the unauthorized access, use or disclosure of Customer Personal Data.
h)  “Sensitive Personal Data” shall have the meaning assigned to the terms “sensitive personal information,” “sensitive personal data,” or “special categories of personal data” under Applicable Data Protection Law(s) and shall include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
i) “Standard Contractual Clauses” shall mean, only as applicable to Customer, (i) the UK Standard Contractual Clauses; and (ii) 2021 Standard Contractual Clauses.
k)  “Third Party(ies)” means Sonet.io-authorized contractors, agents, vendors and third-party service providers (i.e., sub-processors) that Process Customer Personal Data.
l) “UK Standard Contractual Clauses” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the effective date of this Addendum at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as set forth in this Addendum.
m)  "2021 Standard Contractual Clauses" means the Standard Contractual Clauses approved by the European Commission in decision 2021/914, completed as set forth in this Addendum. 

3.     Data Handling, Access and Processing 
a)  Role of the Parties.
As between Sonet.io and Customer, Customer is the Controller of Customer Personal Data, and Sonet.io shall Process Customer Personal Data as a Processor acting on behalf of Customer, as to the Processing identified in Schedule 1. 
b)  General Compliance by Sonet.io. Customer Personal Data shall be Processed by Sonet.io to provide the Sonet.io Services and otherwise in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).
c)  General Compliance by Customer. Customer agrees that (i) it shall comply with its obligations as Controller under Applicable Data Protection Law(s) in respect of its Processing of Customer Personal Data and any Processing instructions it issues to Sonet.io, and (ii) it has provided notice and obtained (or shall obtain) all necessary consents (including without limitation, verifiable consent) and rights necessary under Applicable Data Protection Law(s) for Sonet.io to Process Customer Personal Data and provide the Sonet.io Services pursuant to the Agreement and this Addendum.
d)  Sonet.io and Third Party Compliance. Sonet.io agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties data protection and security requirements for Customer Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to Customer for Sonet.io’s Third Parties’ (and their sub-processors’ if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data. 
e)  Authorization to Use Third Parties. To the extent necessary to fulfill Sonet.io’s contractual obligations under the Agreement or any Order Form, Customer hereby agrees that Sonet.io’s Affiliates may be retained as sub-processors, and Customer authorizes (i) Sonet.io and Sonet.io’s Affiliates to engage Third Parties, including Google, Inc. (hosting and data storage) and (ii) Third Parties to engage sub-processors. Any transfer of Customer Personal Data shall comply with all Applicable Data Protection Law(s).
f) Right to Object to Third Parties. Sonet.io (and/or its Affiliates) shall engage a new Third Party only after Sonet.io has provided Customer with notification of a new Third Party. To receive notification via email regarding any new Third Party, Customer should email privacy@sonet.io to request subscription to such notices. If Customer does not contact privacy@sonet.io with any such request, Sonet.io's posting of the name of such Third Party on its Third-Party List (available at https://www.sonet.io/info/subprocessors) will be deemed to constitute notice of a new Third Party to Customer under this provision. Customer will have ten (10) calendar days to object after notice is given. In the event Customer objects within ten (10) calendar days after notice is given, Sonet.io will make reasonable efforts to address Customer's objection. After this process, if a resolution has not been agreed to within ten (10) calendar days, Sonet.io will proceed with engaging the Third Party. If Customer's reasonable objection remains unresolved, Customer will be given the opportunity to terminate the Sonet.io Services for convenience without penalty as its sole and exclusive remedy or another such resolution as the parties may agree. To the extent that Sonet.io reasonably believes engaging a new Third Party on an expedited basis is necessary to protect the confidentiality, integrity or availability of Customer Personal Data or avoid material disruption to the Services, Sonet.io reserves the right to give such notice as soon as reasonably practicable.
g)  Following Instructions. Sonet.io shall Process Customer Personal Data only in accordance with the documented instructions of Customer as specifically authorized by the Agreement or Processing to comply with other reasonable documented instructions provided by Controller (e.g., via email) where mutually agreed to by Processor and provided such instructions are consistent with and not in conflict with the terms of the Agreement. Sonet.io will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions or Applicable Data Protection Law(s). The Agreement is Controller’s complete and final documented instructions at the time of signature to Processor for the Processing of Personal Data.
h)  Confidentiality. Any person authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality. 
i)  Personal Data Inquiries and Requests. Sonet.io agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request”). Sonet.io shall assist Customer in answering or complying with any Privacy Request by making available Customer Personal Data and technical processes to enable Customer to respond to any Privacy Request. If Sonet.io receives a request from a Data Subject in relation to their Customer Personal Data, Sonet.io will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.
 j)  Prior Consultation. Sonet.io agrees to provide reasonable assistance to Customer where, in Customer’s judgement, the type of Processing performed by Sonet.io is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
k)  Demonstrable Compliance. Sonet.io agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide such records to Customer upon reasonable request to assist Customer with complying with supervisory authorities’ requests. Customer retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data, including any use of Customer Personal Data not expressly authorized in this Addendum.
l)  Processing of Certain Types of Personal Data. Customer agrees that it shall not use the Sonet.io Services to Process Sensitive Personal Data without Sonet.io’s explicit and prior written consent. 
m) Other Obligations. Sonet.io hereby certifies that it understands its restrictions and obligations set forth in the CCPA as well as in this Addendum, and will comply with those restrictions and obligations. Except as explicitly authorized by Applicable Data Protection Laws, Sonet.io shall:
• not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Sonet.io that would render it a “Third Party” under applicable U.S. State Privacy Laws;
• not “sell” or “share” any Customer Personal Data, as such terms are defined in applicable U.S. State Privacy Laws, to any third party;
• not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data without Customer’s express written permission;
• comply with any applicable restrictions under Applicable Data Protection Law(s) on combining Customer Personal Data with personal data that Sonet.io receives from, or on behalf of, another person or persons, or that Sonet.io collects from any interaction between it and any individual;
• provide the same level of protection for Customer Personal Data as is required under Applicable Data Protection Law(s) applicable to Customer; and
• not otherwise engage in any Processing of Customer Personal Data that is prohibited or not permitted by “processors” or “service providers” under Applicable Data Protection Law(s).

4.     International Data Transfer Mechanisms 
Customer authorizes Sonet.io and its Third Parties to transfer Customer Personal Data across international borders, including from the European Economic Area or the United Kingdom to the United States. Any cross-border transfer of Customer Personal Data subject to the GDPR or the UK Data Protection Law must be supported by an approved adequacy mechanism.
a)  UK Standard Contractual Clauses:
i)      General. The parties acknowledge and agree that to the extent that Sonet.io Processes any Customer Personal Data under the Agreement, any related Order Forms, or exhibits, that are subject to the UK Standard Contractual Clauses, Sonet.io and Customer hereby enter into the UK Standard Contractual Clauses for Controllers to Processors (and incorporated into this Addendum by reference). The UK Standard Contractual Clauses shall be interpreted in a manner consistent with the terms of this Addendum and Applicable Data Protection Law(s). To the extent that the terms of this Addendum directly contradict the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will control.
ii)       Application. The UK Standard Contractual Clauses will apply to (i) the legal entity that has entered into a Service Agreement incorporating this Addendum and entered into the UK Standard Contractual Clauses as a data exporter, and (ii) all Affiliates of Customer established within the United Kingdom, which have signed Order Forms for the Services. For purposes of the UK Standard Contractual Clauses, the aforementioned entities will act as the “data exporters” and Sonet.io will act as the “data importer”. The UK Standard Contractual Clauses shall be deemed completed as follows (with undefined capitalized terms meaning the definitions in the UK Standard Contractual Clauses):
(1)  Table 1 of the UK Standard Contractual Clauses: (a) the Parties’ details shall be the parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in the Appendix of this Addendum; and (b) the Key Contact shall be the contacts set forth in the Appendix of this Addendum.
(2)  Table 2 of the UK Standard Contractual Clauses: The Approved EU SCCs referenced in Table 2 shall be the 2021 Standard Contractual Clauses.
(3)  Table 3 of the UK Standard Contractual Clauses: Annex 1A, 1B, II, and III shall be set forth in Section 3(e) and the Appendix of this Addendum.
(4)  Table 4 of the UK Standard Contractual Clauses: Either party may end this Addendum as set out in Section 19 of the UK Standard Contractual Clauses.
(5)  By entering into this Addendum, the parties are deemed to be signing the UK Standard Contractual Clauses and its applicable Tables and Appendices. 
b)  2021 Standard Contractual Clauses: 
i)      General. The parties acknowledge and agree that to the extent that Sonet.io Processes any Customer Personal Data transferred from the European Economic Union or Switzerland under the Agreement, any related Order Forms, or exhibits, outside the European Economic Area in a country that has not been designated as providing an adequate level of protection for Personal Data, including the United States, Sonet.io and Customer hereby enter into the 2021 Standard Contractual Clauses for Controllers to Processors (and incorporated into this Addendum by reference). The 2021 Standard Contractual Clauses shall be interpreted in a manner consistent with the terms of this Addendum and Applicable Data Protection Law(s). To the extent that the terms of this Addendum directly contradict the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will control.
ii)     Application. The 2021 Standard Contractual Clauses will apply to (i) the legal entity that has entered into a Service Agreement incorporating this Addendum and entered into the Standard Contractual Clauses as a data exporter and, (ii) all Affiliates of Customer established within the European Economic Area or Switzerland, which have signed Order Forms for the Services. For purposes of the 2021 Standard Contractual Clauses, the aforementioned entities will act as the “data exporters” and Sonet.io will act as the “data importer”. Customer acts as a Controller and Sonet.io acts as Customer’s Processor with respect to the Personal Data subject to the 2021 Standard Contractual Clauses, and its Module 2 applies. With respect to the 2021 Standard Contractual Clauses:
(1)  in Clause 7, the optional docking clause does not apply;
(2)  in Clause 9, Option 2 applies; the time period for prior notice of Third Party changes will be as set forth in Section 3(f) (Right to Object to Third Parties) of this Addendum;
(3)  in Clause 11, the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply;
(4)  in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
(5)  in Clause 18(b), disputes will be resolved before the courts of Ireland; and
(6)  Annexes I and II of the 2021 Standard Contractual Clauses are set forth in the Appendix of this Addendum. Annex III is not applicable as the parties have chosen general authorization under Clause 9.
(7)  By entering into this Addendum, the parties are deemed to be signing the 2021 Standard Contractual Clauses and its applicable Annexes. 
c)  Revisions. In the event that the European Commission or the United Kingdom requires the use of revised standard contractual clauses that are applicable to this Addendum, such revised standard contractual clauses shall automatically be deemed to replace the UK Standard Contractual Clauses or 2021 Standard Contractual Clauses, as applicable, without the need for any further action, unless otherwise agreed to by the parties. 
d)  Termination. The Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under Applicable Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis, and Sonet.io has implemented any measures necessary to comply with such basis. 

5.     Information Security 
Sonet.io agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as set forth in Annex II of this Addendum (“Sonet.io Information Security and Privacy Standards”). Further, Sonet.io agrees to regularly test, assess and evaluate the effectiveness of the Sonet.io Information Security and Privacy Standards to ensure the security of the Processing. Customer acknowledges that the Sonet.io Information Security and Privacy Standards may be updated from time to time to reflect process improvements or changing practices but the modifications will not materially decrease Sonet.io’s obligations as compared to those reflected in such terms as of the Effective Date.

6.     Audits 
Upon request from Customer, Sonet.io agrees to reasonably cooperate with Customer for the purpose of verifying Sonet.io’s compliance with Applicable Data Protection Law(s). Upon Customer’s request pursuant to Clause 9(c) of the 2021 Standard Contractual Clauses, Sonet.io will provide the copies of the requested sub-processor agreements, and Sonet.io may remove or redact all commercial or proprietary information or clauses beforehand to protect business secrets or other confidential information, and that such copies will be provided by Sonet.io in a manner to be determined in its discretion, only upon request by Customer.
7.     Return or Deletion of Data 
Upon written request by Customer after Customer terminates use of all Sonet.io Services, Sonet.io shall delete or provide to Customer all Customer Personal Data in its possession or control, save that this requirement shall not apply to the extent Sonet.io is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which Customer Personal Data Sonet.io shall securely isolate and protect from any further processing, except to the extent required by applicable law. The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 of the 2021 Standard Contractual Clauses shall be provided by Sonet.io to Customer only upon Customer’s request.

8.     Security Incident 
a)  Security Incident Procedure. Sonet.io will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.
b)  Notice. Sonet.io agrees to provide prompt written notice without undue delay and within the timeframe required under Applicable Data Protection Law(s) to Customer if it knows that a Security Incident has taken place. A delay in giving such notice requested by law enforcement and/or in light of Sonet.io’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. 
9.     Limitation of Liability
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to the Agreement, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability of the Terms of Service or Service Agreement (as applicable), and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Terms of Service or Service Agreement (as applicable). For the avoidance of doubt, Processor’s total liability for all claims from the Controller and all of its Affiliates arising out of or related to the Agreement shall apply in the aggregate for all claims under Agreement, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Affiliate that is a contractual party to any such Agreement.
10.   Severability
If any provision of the Addendum is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that the Addendum will otherwise remain in full force and effect and enforceable.


Schedule 1 to the Sonet.io Privacy and Security Addendum

1.1 Subject Matter of Processing
The subject matter of Processing is the Sonet.io Services pursuant to the Agreement.

1.2 Duration of Processing
The Processing will continue until Sonet.io’s receipt of notification from Customer of termination of use of all Sonet.io Services.

1.3 Categories of Data Subjects
Includes the end users of Sonet.io’s websites and Services

1.4 Nature and Purpose of Processing
The purpose of Processing of Customer Personal Data by Sonet.io is the performance of the Sonet.io Services pursuant to the Agreement.

1.5 Types of Personal Data
The data collected via Sonet.io’s Services includes the following types of Personal Data:
☒ First and last name
☒ Position
☒ Employer
☒ Work address (optional)
☒ Phone number (optional)
☒ Business email address
☒ User account information
☒ Online identifiers (e.g., IP address, device ID, geolocation data)

Appendix
Annex I to the 2021 Standard Contractual Clauses

This Annex forms part of the 2021 Standard Contractual Clauses and/or UK Standard Contractual Clauses, as applicable. By entering into the Standard Contractual Clauses incorporated in the Addendum, the parties also are agreeing to the terms of this Annex I. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Annex.

A. List of Parties
Data exporter. The data exporter is Customer and authorized affiliates of Customer, as described in the agreement. Contact: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.
Data importer. The data importer is Sonet.io, Inc., 3031 Tisch Way, 110 Plaza West, San Jose, California USA. Contact: Dharmadendra Mohan, Chief Executive Officer, privacy@Sonet.io.

B. Description of the Transfer 
Categories of Data subjects whose personal data is transferred. The personal data transferred concern the following categories of data subjects: End users of Sonet.io’s Services and websites.
Categories of personal data transferred. The personal data transferred concern the following categories of data: Personal data collected via Sonet.io’s Services, which include the following types of device-related data: IP address, device ID, geolocation data.
Sensitive categories of data transferred. The personal data transferred concern the following special categories of data: None.
Frequency of the Transfer. Continuous basis 
Nature of the Processing. The personal data transferred will be subject to the following basic processing activities: Processing necessary for the performance of the Sonet.io Services, as well as related support and professional services as set forth in the Agreement, or where directed by other reasonable documented instructions provided by the data exporter.
Purpose of the data transfer and further processing. To provide the Services under the Agreement. 
Anticipated duration of processing. For the term of any existing Order Forms between Sonet.io and the data importer. 
Transfers to subprocessors. The subject matter, nature, and duration of the processing is outlined at https://sonet.io/subprocessors/.  

C. Competent Supervisory Authority 
The Irish Data Protection Authority will be the competent supervisory authority.

Annex II to the 2021 Standard Contractual Clauses 
This Annex forms part of the 2021 Standard Contractual Clauses and/or UK Standard Contractual Clauses, as applicable. By entering into the Standard Contractual Clauses, the parties also are agreeing to incorporating this Annex II into the Agreement.

Description of the technical and organizational security measures implemented by the data importer 
Sonet.io Information Security Standards 
Sonet.io maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of Sonet.io’s business; (b) the type of information that Sonet.io will store; and (c) the need for security and confidentiality of such information. Sonet.io’s security program includes:
1. Security Awareness and Training. A mandatory security awareness and training program for all members of Sonet.io’s workforce (including management), which includes:
· Training on how to implement and comply with its Information Security Program; and
· Promoting a culture of security awareness through periodic communications from senior management with employees.
2. Access Controls. Policies, procedures, and logical controls:
· To limit access to its information systems to only authorized persons
· To prevent those workforce members and others who should not have access from obtaining access; and
· To remove access in a timely basis in the event of a change in job responsibilities or job status.
3. Security Incident Procedures. A security incident response plan that includes procedures to be followed in the event of any Security Breach. Such procedures include:
· Roles and responsibilities: formation of an internal incident response team with a response leader.
· Investigation: assessing the risk the incident poses and determining who may be affected.
· Communication: internal reporting as well as a notification process in the event of unauthorized disclosure of Customer Data.
· Record keeping: keeping a record of what was done and by whom to help in later analysis and possible legal action; and
· Audit: conducting and documenting root cause analysis and remediation plan.
4. Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage Customer Data or production systems that contain Customer Data. Such procedures include:
· Data Backups: A policy for performing periodic backups of production data sources, as applicable, according to a defined schedule.
· Business Continuity Plan: A formal process to address the framework by which an unplanned event might be managed in order to minimize the loss of vital resources.
5. Audit Controls. Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.
6. Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and protect it from disclosure, improper alteration, or destruction.
7. Storage and Transmission Security. Security measures to guard against unauthorized access to Customer Data that is being transmitted over a public electronic communications network or stored electronically.
8. Secure Disposal. Policies and procedures regarding the secure disposal of tangible property containing Customer Data, considering available technology so that Customer Data cannot be practically read or reconstructed.
9. Assigned Security Responsibility. Assigning responsibility for the development, implementation, and maintenance of Sonet.io’s security program, including:
· Designating a security official with overall responsibility.
· Defining security roles and responsibilities for individuals with security responsibilities; and
· Designating a Security Council consisting of cross-functional management representatives to meet on a regular basis.
10. Testing. Regularly testing the key controls, systems, and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified. Where applicable, such testing includes:
· Internal risk assessments.
· Service Organization Control 1 (SOC1) and Service Organization Control 2 (SOC2) audit reports (or industry-standard successor reports).
11. Monitoring. Network and systems monitoring, including error logs on servers, disks, and security events for any potential problems. Such monitoring includes:
· Reviewing changes affecting systems handling authentication, authorization, and auditing.
· Reviewing privileged access to Sonet.io production systems; and
· Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.
12. Change and Configuration Management. Maintaining policies and procedures for managing changes Sonet.io makes to production systems, applications, and databases. Such policies and procedures include:
· A process for documenting, testing, and approving the patching and maintenance of the Sonet.io Product.
· A security patching process that requires patching systems in a timely manner based on a risk analysis; and
· A process for Sonet.io to utilize a third party to conduct application-level security assessments. These assessments generally include testing, where applicable, for:

Insufficient authentication
Insufficient authorization

13. Program Adjustments. Monitoring, evaluating, and adjusting, as appropriate, the security program considering:
· Any relevant changes in technology and any internal or external threats to Sonet.io or the Customer Data.
· Security and data privacy regulations applicable to Sonet.io; and
· Sonet’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

14. Devices – Ensuring that all laptop and desktop computing devices utilized by Sonet.io when accessing Customer Data:
· will be equipped with a minimum of AES128-bit full hard disk drive encryption.

Current: March 2, 2024